Cybersecurity Through the Lens of Rock Climbing

I’ve been to a lot of kids’ sporting events in the last decade plus. They have their moments, but I think I speak for all parents who are not living vicariously through their child’s prowess on the field of play when I say there are a few dozen places you’d rather be than sitting on a cooler of orange slices and water bottles on a Saturday morning.

But since we’re fond of making sports a metaphor for so many other things in life — or is it the other way around — I thought I’d point out a couple of lessons that rock climbing (yes, they have competitions) teaches us in security.

Everything is harder than it looks. When my son started rock climbing he was all about using his arms, with predictable results. It wasn’t until he realized the importance of using all four limbs that he really started to have success. There is no shortage of recommendations, guidance, or frameworks that one can use to help secure an enterprise, but if it were as easy as installing antivirus, telling the CEO there are bad guys out there, and checking boxes on a list, my SF86 wouldn’t be in Beijing.

There is a significant difference between practice and real life. Climbing gyms have all sorts of different configurations on their walls, but they cannot always replicate what you’ll find in the wild. Sometimes there isn’t a convenient hand- or foot-hold to get you over the top. Sometimes you hit a dead end and have to find another way around. In security, maybe that’s a corporate policy (or raison d’être). Maybe it’s a regulation, or even a physical constraint. Regardless, you need to be prepared to take a long, winding route to your goal, or accept that what needs doing is one crag too far.

You need strength in your core and at the extremities. Having a strong grip is great, but without a high level of strength and mobility in your abdomen, shoulders, and hips, you will find it very hard to get up and out of tight spots. Better security requires a range of talents, tools, and methods. You’ve got to work on them all, and in a coordinated fashion with the rest of the organization, to succeed.

Energy drains quickly. A given bouldering problem may be both vertical and horizontal. The distance traversed may not be long, but crawling on all fours, upside down, is not a party. Trying to achieve security goals can be equally challenging and exhausting. You’re always the person who says “no.” You’re always fighting for resources, and for respect. You’re always the scapegoat. At some point everyone asks, “why bother?”

No one gets through the hard stuff the first time. Everyone who makes a high V-grade problem look easy only does so because they fell on their backsides more often than they reached the top. They make it look easy because they know what doesn’t work. Senior practitioners, successful CISOs, they all failed a lot before they won.